RE: access-list help

From: Rasheim Myers (ramyers@xxxxxxxxx)
Date: Wed Oct 25 2000 - 19:23:33 GMT-3


   
   Hi Tony,
   
   The following inbound access-list line should help solve that problem:
   access-list 100 permit tcp any <host ip range> established
   note: I don't think you need the "eq ftp" for this line
   
   This will allow the "server" that you have established a connection
   with to return packets to your hosts. You used the telnet tcp port
   (23) in your email. That is probably just a typo. Remember that FTP
   uses 2 ports (21 and 20).
   
   I hope this information helps out.
   
   -----Original Message-----
   From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
   Tony Olzak
   Sent: Wednesday, October 25, 2000 6:03 PM
   To: ccielab@groupstudy.com
   Subject: access-list help
   
   This should be simple, and I'm probably making this way too difficult,
   but how would you go about this access-list?
   This is an inbound access-list on a serial interface. The one line I'm
   having trouble with is this:
   FTP sessions are only allowed if established by a host on the router's
   ethernet segment.
   OK, that's great. Any host on the ethernet segment will send packets
   to port 23, but returning packets will be to whatever port above 1023
   that the host chose to use. If I just say:
   access-list 100 permit tcp any <host ip range> establish eq ftp
   This would only allow packets IN that are destined for port 23 and
   have the ACK bit. This does me no good because the source host is not
   using port 23 when trying to initiate an FTP session. If I say to any
   port greater than 1023, then I'm allowing traffic that was not
   specified in the lab. Am I way off here? If so, how do I do this?
   Maybe the author of this practice lab didn't understand this
   procedure?
   Tony
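As an added example (not part of the original thread or either poster's configuration), the Python below models how IOS evaluates the two access-list lines under discussion against a few constructed inbound packets. The `established` keyword matches a TCP segment whose ACK or RST bit is set; `eq <port>` in these lines tests the destination port. The 10.1.1.0/24 range stands in for Tony's `<host ip range>` and 192.0.2.10 for the remote FTP server; both addresses are placeholders chosen here.

```python
"""How a Cisco IOS extended ACL evaluates `established`, modelled in Python.

Added example, not code from the original thread.  Assumptions, all chosen
here: 10.1.1.0/24 stands in for Tony's "<host ip range>" (the router's
ethernet segment) and 192.0.2.10 is an outside FTP server.  The ACL is the
inbound one on the serial interface, so "dst" is always the inside host.
"""
from dataclasses import dataclass
from typing import List, Optional
import ipaddress

# TCP flag bits (RFC 793).  IOS `established` matches when ACK or RST is set.
SYN, RST, ACK = 0x02, 0x04, 0x10
INSIDE = "10.1.1.0/24"      # assumed stand-in for <host ip range>
OUTSIDE_FTP = "192.0.2.10"  # assumed outside FTP server


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int


@dataclass(frozen=True)
class Ace:
    """One `access-list 100 <action> tcp any <dst_net> [eq dport] [established]`."""
    action: str                       # "permit" or "deny"
    dst_net: str                      # destination prefix; source is `any`
    dport: Optional[int] = None       # `eq <port>` here applies to the DESTINATION port
    established: bool = False         # `established` keyword present

    def matches(self, p: Packet) -> bool:
        if ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst_net):
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        # `established` is stateless: it only inspects the flag bits of this
        # one segment and keeps no table of connections the inside opened.
        if self.established and not (p.flags & (ACK | RST)):
            return False
        return True


def evaluate(acl: List[Ace], p: Packet) -> str:
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    for ace in acl:
        if ace.matches(p):
            return ace.action
    return "deny"


# Tony's line: `permit tcp any <host ip range> established eq ftp`
TONY_ACL = [Ace("permit", INSIDE, dport=21, established=True)]
# Rasheim's line: `permit tcp any <host ip range> established`
RASHEIM_ACL = [Ace("permit", INSIDE, established=True)]

# Constructed packets arriving inbound on the serial interface.
SERVER_REPLY = Packet(OUTSIDE_FTP, 21, "10.1.1.5", 40000, SYN | ACK)   # reply to the inside client's SYN
OUTSIDE_INITIATES = Packet("192.0.2.99", 50000, "10.1.1.5", 21, SYN)    # outsider opening FTP to an inside host
ACTIVE_DATA_SYN = Packet(OUTSIDE_FTP, 20, "10.1.1.5", 40001, SYN)       # active-mode data connection, server-initiated
ACK_PROBE = Packet("192.0.2.99", 50001, "10.1.1.5", 22, ACK)            # bare-ACK probe with no connection behind it


def scenarios() -> dict:
    return {
        # Tony's `eq ftp`: the reply comes FROM port 21 to an ephemeral port,
        # so the destination-port test fails and the reply is dropped.
        "tony_drops_legit_reply": evaluate(TONY_ACL, SERVER_REPLY),
        # Rasheim's line lets the reply through and still blocks an outside SYN.
        "rasheim_permits_reply": evaluate(RASHEIM_ACL, SERVER_REPLY),
        "rasheim_blocks_outside_syn": evaluate(RASHEIM_ACL, OUTSIDE_INITIATES),
        # Caveat 1: active-mode FTP has the server open the data connection
        # from port 20, a SYN without ACK, which `established` also drops.
        "active_ftp_data_blocked": evaluate(RASHEIM_ACL, ACTIVE_DATA_SYN),
        # Caveat 2: anyone can set ACK on a packet, so `established` is not a
        # firewall; unsolicited ACK segments (e.g. an ACK scan) pass the ACL.
        "bare_ack_probe_passes": evaluate(RASHEIM_ACL, ACK_PROBE),
    }


if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name:28s} {verdict}")
```

Two points the run makes visible beyond the thread itself. First, `established` does nothing for active-mode FTP: the server opens the data connection from port 20 with a plain SYN, which the line drops, so only passive-mode transfers work behind it. Second, the keyword is a stateless flag check, not connection tracking; an unsolicited segment with ACK set passes, which is why reflexive ACLs or CBAC (`ip inspect`) are the IOS features to reach for when the requirement is genuinely "only sessions initiated from inside".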



This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 08:25:30 GMT-3